The present disclosure relates generally to installing software on computing platforms.
A computer platform can include a computer and an operating system (OS) running on that computer. Software developers can create code that can be compiled for respective computer platforms and then independently generate native installation packages. Each native installation package can be associated with a specific computer platform, and these native installation packages can be distributed for installation on appropriate machines. Software developers can also create platform independent or “cross-platform” installation packages. A cross-platform installation package can be installed using tools provided by the application developer and/or the developer of the cross-platform package format.
Installation files can be secured using digital certificates and signatures. Digital signature schemes can use public-private key pairs. A digital signature is an encrypted message that can be decrypted with the public key half of a public-private key pair. A file can be signed with a private key, and a digital certificate can include the public key for decryption. Digital signature schemes can use other techniques as well, such as symmetric (e.g., shared-key) techniques that use a shared key for both decryption and encryption.
A digital certificate typically has an associated digital signature and certifies that a particular encryption key belongs to a particular party (e.g., the publisher of a digitally signed application). A digital certificate typically includes information regarding a public key, the owner of the key and the identity of the certificate. The certificate uses a digital signature to bind the key with an identity, with the signature attesting that the identity and the key are validly linked.
A digital certificate can be issued by a trusted third party, such as a Certification Authority (CA). A CA-issued certificate can be signed by a CA private key to certify or attest that a particular encryption key belongs to a particular party (e.g., the certificate holder). Alternatively, a developer can sign an application using its own private key to create a self-signed certificate. With a self-signed certificate, the person issuing the certificate also attests to its validity. Whether CA-issued or self-signed, code signing is often used to secure the delivery and publishing of applications.
Software developers sometimes save money and/or time by using self-signed certificates. Later, they may want to switch to using CA-issued certificates, which can provide greater assurances to end users who are installing the applications. In order to protect the applications and end users, however, the target platform can require that updates to applications be signed by the same certificate as previous releases of the application.
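The same-certificate update rule described above can be sketched as follows. This is an added example, not part of the original disclosure; it assumes a toy textbook-RSA scheme built on fixed Mersenne primes (not secure, for illustration only), and every function name, certificate field and sample value is hypothetical.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def make_key(p, q):
    # Textbook RSA from two fixed primes: a toy for illustration, not secure.
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, key):
    # "Encrypt" the digest with the private exponent.
    return pow(digest(data, key["n"]), key["d"], key["n"])

def verify(data, sig, n):
    # "Decrypt" with the public exponent and compare digests.
    return pow(sig, E, n) == digest(data, n)

def make_cert(subject, subject_key, issuer, issuer_key):
    # Bind the subject's name to its public key; the issuer's signature attests to it.
    tbs = f"{subject}|{subject_key['n']}|{issuer}".encode()
    return {"subject": subject, "n": subject_key["n"], "issuer": issuer,
            "sig": sign(tbs, issuer_key)}

def fingerprint(cert):
    blob = "|".join(str(cert[k]) for k in ("subject", "n", "issuer", "sig"))
    return hashlib.sha256(blob.encode()).hexdigest()

def check_update(installed_fp, payload, sig, cert):
    # Hypothetical platform policy: valid signature AND same certificate as before.
    if not verify(payload, sig, cert["n"]):
        return "reject: bad package signature"
    if fingerprint(cert) != installed_fp:
        return "reject: signer certificate differs from installed release"
    return "accept"

# Constructed sample data (Mersenne primes keep the toy keys reproducible).
DEV_KEY = make_key(2**61 - 1, 2**89 - 1)
CA_KEY = make_key(2**107 - 1, 2**127 - 1)
SELF_SIGNED = make_cert("Example Dev", DEV_KEY, "Example Dev", DEV_KEY)
CA_ISSUED = make_cert("Example Dev", DEV_KEY, "Example CA", CA_KEY)
INSTALLED_FP = fingerprint(SELF_SIGNED)  # recorded when release 1 was installed
UPDATE = b"constructed release 2 payload"
UPDATE_SIG = sign(UPDATE, DEV_KEY)

if __name__ == "__main__":
    for cert in (SELF_SIGNED, CA_ISSUED):
        print(cert["issuer"], "->", check_update(INSTALLED_FP, UPDATE, UPDATE_SIG, cert))
```

The CA-issued certificate here binds the same developer key, so the package signature still verifies; the update is refused only because the certificate itself differs from the one recorded at first install.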